Security built for
attorney-client privilege
Legal data is among the most sensitive in the world. FRITH is designed from the ground up with confidentiality, data sovereignty, and compliance as first principles — not afterthoughts.
Compliance & Certifications
Independently verified. Updated annually. Available under NDA.
SOC 2 Type II
Annual third-party audits verifying our security, availability, processing integrity, confidentiality, and privacy controls. Full report available under NDA.
GDPR Compliant
Full EU General Data Protection Regulation compliance including Data Processing Agreements, data subject rights (access, erasure, portability), and cross-border transfer mechanisms.
ISO 27001
International standard for information security management systems. Certified controls across risk management, asset security, access control, and incident response.
CCPA / CPRA
California Consumer Privacy Act compliance for US users, including opt-out rights, data sale prohibitions, and annual data access requests.
HIPAA Ready
BAA available for legal professionals handling healthcare matters. Technical, physical, and administrative safeguards aligned with HIPAA requirements.
Cyber Essentials Plus
UK government-backed certification. Independently verified controls for firewalls, secure configuration, access control, malware protection, and patch management.
Infrastructure Security
Built on enterprise cloud infrastructure with multiple layers of protection.
AES-256 Encryption at Rest
All stored data — documents, messages, matter details — is encrypted using AES-256. Database-level encryption with automated key rotation every 90 days.
TLS 1.3 in Transit
All data transmitted between your browser or app and FRITH servers is protected with TLS 1.3. We enforce HSTS and reject legacy protocols.
Multi-Region Infrastructure
Hosted on AWS across US East (Virginia), EU West (Ireland), and AP Southeast (Sydney). Data residency selection available on Enterprise plans.
Automated Backups
Continuous database backups with point-in-time recovery up to 30 days. Encrypted backups stored in geographically separate regions.
DDoS Protection
AWS Shield Advanced with always-on traffic monitoring and automatic mitigation. 99.9% uptime SLA backed by enterprise infrastructure.
Incident Response
Dedicated security incident response team with 2-hour response SLA for critical issues. Customers notified within 72 hours of any breach per GDPR requirements.
Access Controls & Identity
Granular permissions, SSO, MFA, and audit trails — built for multi-user law firms.
Role-Based Access Control (RBAC)
Granular permissions across admin, attorney, paralegal, billing, and client roles. Custom roles available on Enterprise plans.
Multi-Factor Authentication
TOTP authenticator app, SMS, and hardware key (WebAuthn/FIDO2) support. MFA can be enforced organisation-wide by admins.
SAML 2.0 SSO
Single sign-on via Microsoft Entra ID, Google Workspace, Okta, OneLogin, and any SAML 2.0 compliant identity provider.
Immutable Audit Logs
Every login, document access, AI query, matter update, and billing action is logged with timestamp, IP, and user identity — tamper-proof and exportable.
Row-Level Data Isolation
Multi-tenant architecture with row-level security in PostgreSQL. Each organisation's data is completely isolated — no cross-tenant access possible.
Bring Your Own Key (BYOK)
Connect your own OpenAI, Anthropic, or Gemini API keys. FRITH acts as a secure passthrough — your prompts and responses never touch our AI infrastructure.
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue, please report it to security@frithai.com. We commit to acknowledging reports within 24 hours, providing a timeline within 72 hours, and crediting researchers who responsibly disclose verified vulnerabilities.
Please do not publicly disclose findings before we have had the opportunity to assess and remediate.
Security FAQ
Does FRITH train AI models on my data?
No. Your data is never used to train AI models. When using FRITH's managed AI, requests are processed in real-time and not stored by the AI provider. With BYOK, data flows directly from your browser to your chosen AI provider — FRITH never sees it.
Where is my data stored?
By default, data is stored in US East (AWS us-east-1). Enterprise customers can select EU (eu-west-1) or AP (ap-southeast-2) residency. All regions use AES-256 encryption at rest.
Can I export or delete all my data?
Yes. You can export all matters, documents, and communications at any time from your account settings. Full account deletion is available and completes within 30 days, with confirmation provided.
Do you sign Data Processing Agreements?
Yes. DPAs are available on all paid plans. Enterprise customers receive a customised DPA reviewed by our legal team. Contact legal@frithai.com to initiate.
What happens during a security incident?
Our incident response team is alerted immediately via automated monitoring. Affected customers are notified within 72 hours. Full post-incident reports are shared for any incident above severity level 2.
Questions about our security practices?
Our security team responds within 24 hours.